Hi everyone, Bryan here. I’m at the RSA Conference Europe this week to present “When a Billion Laughs Are Not So Funny: Application-Level Denial of Service Attacks.” I’ve predicted before that as cloud computing gains wider adoption, we’ll start to see a significant increase in denial of service (DoS) attacks against those services. When you’re paying for the processor time, bandwidth and storage that your applications use, attacks that explicitly target and consume those resources can get very expensive very quickly, not to mention the costs of downtime for legitimate users. Attackers will shift from pursuing elusive privilege elevation vulnerabilities to simply blackmailing SaaS providers: pay me $10,000 or I’ll make your app consume $20,000 worth of server resources. My talk this week covers some of the many ways attackers can exploit DoS vulnerabilities in SaaS, and what we as developers can do to find and prevent these vulnerabilities.
One of the vulnerabilities I’ll be talking about is the regular expression DoS (or ReDoS) brought to light by Checkmarx researchers at the OWASP Israel 2009 conference. Until now, the only way to detect ReDoS vulnerabilities was through manual code review. So I’m pleased to announce the immediate availability of a new tool, the SDL Regex Fuzzer, as a free download. SDL Regex Fuzzer will evaluate regular expression patterns to determine whether they could be vulnerable to ReDoS. It usually takes only a few seconds of testing to make a determination. And like the rest of the suite of SDL tools, SDL Regex Fuzzer integrates with the SDL Process Template and MSF-Agile+SDL Process Template to help you track and eliminate detected vulnerabilities. Give it a try and let us know what you think.
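To make the ReDoS problem concrete, here is an added Python illustration of the kind of check described above. It is not the SDL Regex Fuzzer's own code, and the patterns, probe inputs and timing thresholds are my own constructed choices: the script feeds a pattern almost-matching inputs of increasing length and reports it as ReDoS-prone when the matching time blows a budget or grows exponentially rather than linearly.

```python
import re
import time

# Constructed patterns for the demonstration (assumed examples, not test cases
# shipped with the SDL Regex Fuzzer). The nested quantifier in the first pattern
# lets a backtracking engine split a run of 'a's in 2^(n-1) ways before it
# discovers that the trailing character can never match.
EVIL_PATTERN = r"^(a+)+$"
SAFE_PATTERN = r"^a+$"


def probe_input(n: int) -> str:
    """Build an almost-matching input: n repetitions followed by a character
    that forces the overall match to fail, so every backtracking path is tried."""
    return "a" * n + "!"


def time_match(compiled: "re.Pattern[str]", text: str, repeats: int = 3) -> float:
    """Return the fastest of several timed attempts, to dampen scheduler noise."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        compiled.match(text)
        best = min(best, time.perf_counter() - start)
    return best


def is_redos_prone(pattern: str,
                   sizes=(8, 12, 16, 20),
                   budget: float = 1.0,
                   growth: float = 4.0,
                   floor: float = 1e-3):
    """Time the pattern against probe inputs of increasing length.

    Returns (verdict, timings). The verdict is True when a single attempt
    exceeds `budget` seconds, or when the time at the largest size is above
    `floor` seconds and grew by more than `growth` over the previous size.
    A linear pattern grows by about sizes[-1]/sizes[-2] (1.25 here); an
    exponential one by roughly 2**(sizes[-1]-sizes[-2]) (16 here).
    """
    compiled = re.compile(pattern)
    timings = []
    for n in sizes:
        elapsed = time_match(compiled, probe_input(n))
        timings.append(elapsed)
        if elapsed > budget:
            return True, timings  # gave up early: clearly pathological
    ratio = timings[-1] / max(timings[-2], 1e-9)
    return (timings[-1] > floor and ratio > growth), timings


def scan(patterns):
    """Screen a dict of name -> pattern and return name -> verdict."""
    return {name: is_redos_prone(p)[0] for name, p in patterns.items()}


if __name__ == "__main__":
    for name, verdict in scan({"evil": EVIL_PATTERN, "safe": SAFE_PATTERN}).items():
        print(f"{name}: {'ReDoS-prone' if verdict else 'looks safe'}")
```

The probe sizes are deliberately small so that a pathological pattern is caught in a fraction of a second instead of hanging the scanner; the same idea applies in a build step that screens every pattern a service accepts from users or ships in its input validation. Patterns flagged this way should be rewritten without nested quantifiers or overlapping alternatives, or matched under an engine or timeout that bounds backtracking.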